Making Choices that Lead to Stronger Vulnerability Management

According to Coalition's research, Common Vulnerabilities and Exposures (CVEs) are expected to increase by 25% in 2024 to a shocking height of 34,888 vulnerabilities, or roughly 2,900 per month. As attack surfaces continue to expand rapidly, business leaders face mission-critical choices in increasing their cyber defenses to improve vulnerability warning, patch management, and incident response.

Through our honeypot data and view into our cyber insurance policyholders' attack surfaces, security tools, and workflows, Coalition has identified the key technology choices that place businesses at risk — as well as the choices that are proving most effective.

Short-Sighted Business Choices

Several factors contribute to the current state of weak vulnerability management, making organizations more susceptible to cyberattacks.

First, companies often leave security teams under-resourced and overworked. These cyber workforce challenges — from worker shortages and cyber skill gaps to security burnout — continue weighing down security teams. Information security professionals are enduring extreme alert fatigue, inhibiting their ability to quickly track, patch, and remediate vulnerabilities.

Second, choosing to use disparate flagging systems keeps critical information on the latest threats siloed. Companies and their customers are at risk because key resources are managed separately: The National Institute of Standards and Technology's (NIST) Common Vulnerability Scoring System (CVSS) scores, the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) Catalog, and miscellaneous (and often belated) security advisories from vendors all come from distinct sources. The onus then is transferred to each organization to stay on top of all these different information sources. Worse, now that NIST is facing major backlog issues, its National Vulnerability Database can no longer be seen as a source of truth, complicating the picture further.

Third, companies don't always put business resources into closing the talent gap. ISC2 found that while the cybersecurity workforce grew 8.7% year over year in 2023, the workforce gap grew an additional 12.6%. Supply is outpacing demand, and security teams are simply strapped.

Finally, choosing to ignore technical debt keeps old and outdated software a high-risk target. Legacy technologies and companies' massive lists of technology subscriptions not only take up security budgets, but they also expand businesses' attack surfaces. Many businesses don't have the budget to explore new security tools or approaches because they are weighed down by technical debt.

Risky Technical Choices

Security teams must make smarter choices about the overlooked risks threat actors continue to successfully target and exploit year after year: unpatched vulnerabilities, Internet-exposed technologies, and end-of-life (EOL) technology.

First, understand that vulnerabilities can turn seemingly small software flaws into active attacks, so putting off patching is a risky decision. In a recent example, a nation-state attack from a North Korean threat group targeted a Windows zero-day vulnerability left unpatched for six months. This vulnerability's scale and business impacts are still unknown but pose a massive, ongoing risk for organizations.

Second, organizations need to pay more attention to their easily exploitable, Internet-exposed technologies. For example, Coalition found scans from unique IP addresses looking for Remote Desktop Protocol (RDP) increased by 59% from January 2023 to October 2023, indicating that cybercriminals are still targeting this vulnerable technology to gain operating system access.

Finally, companies often decide to keep outdated and EOL technologies running until they break down completely — or get penetrated. Threat actors upped their attacks on outdated, out-of-date software this last year. Coalition's report found that 10,000 businesses are running EOL database Microsoft SQL Server 2000, while over 100,000 businesses are running EOL Microsoft SQL servers. If left unaddressed, outdated technology and technical debt will cost organizations in the US trillions of dollars in the coming years.

As threat actors continue to search for the easiest risks to exploit and monetize, strengthening an organization's cyber resilience can be as simple as identifying the most easily addressable risks.

Smarter Choices for Security Teams

Our research shows that choosing to implement a few leading solutions improves vulnerability management and will continue to do so in the foreseeable future.

First, security professionals can leverage threat intelligence tools, like honeypots, to identify hackers' tactics, techniques, and procedures. These tools help serve as an early warning system for new threats. For example, Coalition uncovered cybercriminal activity related to the 1,000% 2023 MOVEit vulnerability spike in mid-May, two weeks before Progress Software and CISA issued their advisories. This early alerting helped our policyholders remediate the vulnerability and avoid related cyber incidents and impending cyber insurance claims. Meanwhile, the vulnerability cost the broader cyber ecosystem $15.6 billion.

Second, defenders should employ artificial intelligence (AI) to help them generate and contextualize alerts across the security ecosystem. While the cyber industry works to overcome the cybersecurity risks of AI, vendors are also finding new ways to battle adversaries with the technology. For example, Coalition's Exploit Scoring System incorporates multiple data sets and analyzes them with AI to help companies manage and prioritize risk mitigation.

Finally, remember to pair continuous threat detection and response management with a human traffic guard. The human power of security teams will lift cogent businesses over risky ones. While AI and machine learning are key to catching vulnerabilities, patching with intelligence requires people — strategic human partners who can act on the AI's automated insights.